
This is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

China Cybersecurity Law Catches Pharma Firms Unawares

China’s first cyber security law came into effect in June, but some pharma companies do not realize they need to comply.

June 2017 saw a new cyber security law come into force in China. However, some companies may not be aware of the new law and therefore may not be complying with its new requirements, according to the law firm CMS.

The new law has a broad coverage and applies to all industries and sectors. Pharmaceutical companies are likely to be subject to requirements governing the collection, processing, storage, cross-border transfer and use of personal and other important data, CMS told the Pink Sheet.

“With the rapid development of the digital health industry, more traditional pharma companies have expanded their business and started to become an online service operator or a manufacturer of connected medical devices. As such, more complex regulatory requirements will apply,” said the law firm.

However, CMS observes that “some traditional pharma companies do not pay sufficient attention to or even realize that they have fallen into the regulatory regime governing digital businesses, including the Cybersecurity Law and a series of administrative licensing requirements.”

Consequences for failing to comply can be heavy and companies could even see their business licenses revoked. In less serious cases, warnings or fines can be issued. “Failing to comply might also have [a] negative effect on a company's daily operation and reputation.”

Companies that are not familiar with China’s cybersecurity regulatory regime should undertake a cybersecurity compliance audit, CMS advises. Then, with the help of legal and technical experts, they can work out how to improve their compliance status.

CMS further advises companies to pay attention to how different authorities will formulate and implement different rules and standards within their jurisdictions to guide application of the new law.

What The Law Says

The new law has a broad reach and applies to the establishment, operation, maintenance and usage of networks and to the supervision and management of network security within mainland China. It focuses on three main aspects: the protection of personal information; the manufacturing and use of safe and controllable network products; and the security of network operation and online service provision, clarifies CMS.

Some legal requirements governing the security of network operations, online service provision, the quality of network products and the protection of personal information were previously in place, says CMS. The new law puts new emphasis on these requirements from a cybersecurity perspective and also introduces new obligations concerning critical information infrastructure, the cross-border transfer of data, and security assessments and examinations for network products.

CMS points out that the law sets out a number of compliance requirements. These include:

taking the necessary technical measures to protect operational security, manufacturing and using safe and controllable products; and

complying with certain obligations when collecting, processing and using personal information.

The law also guarantees “cyber sovereignty,” which, as CMS explains, means that China can independently choose its own cyber development path and its own model of regulation. Nevertheless, with its new law, China “has no intention to provide unfair treatment to foreign operators,” says CMS. “China will work together with the international community to uphold cyber sovereignty, promote fair and equitable global internet governance and bring about a more open, inclusive and secure cyberspace.”
